Facebook's new Graph Search features create phishing wonderland
Feature's search results now incorporate wealth of extra information
By Steve Ragan , Staff Writer
October 01, 2013 — CSO — Facebook has announced new changes to the way Graph Search discovers information, including the fact that status updates, photos, check-ins, and comments are now included in search results. This new stream of information offers criminals developing phishing campaigns all-new attack surfaces to exploit.
On Monday, Facebook revealed the latest changes to their Graph Search function, a tool that allows people to search for specific content on the social network. Previously, Graph Search was limited to information on a person's profile or pages on the site, but now additional information, such as status updates, photos, check-ins, and comments will become discoverable as well. While these features are being touted by the social giant as a good thing, the risk they create is anything but.
This new stream of data offers a potential goldmine for criminals developing phishing campaigns, and for more experienced attackers, because searches can now focus on certain groups of people, from a given area, who are interested in, or have a relation to, a specific business, organization, topic, or hobby. It's even possible to filter results by time, allowing details from long-forgotten comments or posts to see the light of day once again.
The data that is returned for a given search is limited only by the privacy settings on the post itself, or the overall settings by the user or their friends. Unfortunately, many people are still on default settings. As such, their profiles — including posts — are set to be shared to a much wider audience than they may intend.
"Facebook has a long standing tradition of dragging users to share more information — even if they don't ask," Trevor Hawthorn, the CTO of ThreatSim, told CSO.
ThreatSim is a company that focuses on spear phishing and awareness training. Earlier this year, the company released statistics for the Verizon Business Data Breach Investigations Report showing that the success of a given phishing campaign isn't hard to track: it takes three emails before a target will click on a link or an attachment.
"Running a campaign with just three e-mails gives the attacker a better than 50% chance of getting at least one click. Run that campaign twice, and that probability goes up to 80%, and sending 10 e-mails approaches the point where most attackers would be able to slap a 'guaranteed' sticker on getting a click," the Verizon report explains.
Half of the clicks within a given phishing campaign will happen within 12 hours of the first e-mail being sent, but clicks alone do not equate to a successful compromise. However, the more focused the campaign, the stronger the overall odds of a compromise become. This is why enhanced searching on Facebook could spell trouble, and why organizations and the people in them need to be mindful of protecting what they post.